Ask Your Question
0

I have filtered bt-dht UDP packets. Can Wireshark decode the bencoding for me?

asked 2019-03-18 22:43:03 +0000

JimDeLaHunt gravatar image

I am a new user of Wireshark, looking to diagnose a problem with two Transmission bit torrent peers not finding each other. Thank you to everyone who helped build this marvellous product. I feel like a superhero when I use it!

I was able to filter out a set of UDP packets which are all bencoded. I think most of them are Bittorrent Distributed Hash Table (DHT) traffic. But while bencoded packets are somewhat readable in the hex display, it would be much easier to read a decoded form.

Is there a way to tell Wireshark that all packets in the filtered list of packets it is displaying conform to the bt-dht protocol, or are bencoded, and have Wireshark decode them into a more human-readable form?

I suppose my fallback could be to export the packets, then write a program to read them in and perform the bencoding. I could do that. But first, since Wireshark does so much else, I'd like to know if it can do this.

I am using Wireshark 1.12.8 (X11) on Mac OS X 10.11 installed via Mac Ports. That's the most current version they have for me. I could install Wireshark 2.6.7 via the official .dmg, and will do that if it helps. My Mac OS version is too old to be able to use the current Wireshark 3.0.0, it says.

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted
0

answered 2019-03-22 03:37:11 +0000

JimDeLaHunt gravatar image

The answer is yes! Wireshark will be happy to decode the bencoding, and interpret those packets as bt-dht. However, you need to tell Wireshark to do it.

Here is what to do:

  1. Capture a sequence of packets, including BitTorrent Mainline DHT packets to and from the port which your BitTorrent client uses.
  2. In Wireshark, in the Analyze menu, select the Enabled Protocols… item. The Enabled Protocols dialogue appears. It refers to a Profile, so you may be able to save these settings.
  3. In the Enabled Protocols dialogue, scroll down to the entry "BT-DHT" (BitTorrent DHT Protocol). Be sure the checkbox in the left column is checked.
  4. Click OK. The Enabled Protocols dialogue disappears.
  5. In the packet listing, select a packet to or from your BitTorrent client. A filter of udp.port == 51413 (or whichever port your client uses) will ensure that the list contains only BitTorrent packets.
  6. In the Analyze menu, select the Decode As… item. The Decode As dialogue appears.
  7. In the Decode As dialogue, specify that the UDP port equals (the port number used by your BitTorrent client, e.g. 51413). In the menu of protocols on the right, select the "BH-DHT" protocol. The details of this dialogue differ between Wireshark 1.2.8 and 2.6.7, so look to the Decode As dialogue documentation for specifics.
  8. Press OK. The Decode As dialogue disappears. In the middle pane of the main Wireshark window, where there are a list of lines for the layers of protocols of the current packet, there will be an entry underneath "User Datagram Protocol". It reads "BitTorrent DHT Protocol".
  9. Click the disclosure triangle to the left of the line, "BitTorrent DHT Protocol". The DHT fields of the current packet appear.

From there, it's pretty straightforward to explore.

The fields of the BT-DHT are given in the Display Filter Reference pages for BitTorrent DHT Protocol.

From the "Type" column on this page, you can determine how to build display filters for DHT packets. A field which has Type of "Label" cannot be used with == or other operators. You can only search for its presence: bt-dht.peer finds packets which contain Peer fields, probably as a response to a request. A field which has the type of "string" can be compared using quoted strings, or unquoted hex for a binary string value: bt-dht.bencoded.string == 64230fc9afbef7ff8d7986403109b408d1360c15 finds packets containing a binary string which is represented as that hexadecimal value. In my case, it is the infohash of a torrent I want to share.

Using display filter expressions in a similar way, you can colour packets according to different stages in the DHT protocol. But that is a topic for a different note.

This worked for me in both Wireshark 1.2.8, installed from macports and running under X11, and Wireshark 2.6.7, installed as a Mac app downloaded from wireshark.org. In both cases my OS is macOS 10.11 El Capitan.

edit flag offensive delete link more

Comments

How would you see what was downloaded?

MrDevinMeek gravatar imageMrDevinMeek ( 2022-03-19 10:42:23 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-03-18 22:43:03 +0000

Seen: 4,113 times

Last updated: Mar 22 '19